Observations on articles I read to keep current about technology. My interests are: Privacy, security, business, the computer industry, and geeky stuff that catches my eye.

I don't think I have an agenda beyond my own amusement.

Note that I lump all my comments into a single post. This is not a typical BLOG technique; it's just an indication that I'm lazy.

Wednesday, June 13, 2012

Have I mentioned that management seems
unable to accurately determine the scope of a security breach prior
to the first announcement? If I was a true cynic, I would suspect
they wanted to keep the really bad stuff hidden at first, hoping that
no one would notice when they finally disclosed it. Apparently, they
store data for some customers that goes beyond that needed to
complete the credit card transaction.

Credit card processor Global Payments
said today that in the course of investigating the theft of 1.5
million credit card numbers, it has discovered that hackers may also
have stolen consumer data from servers.

"Our ongoing investigation
recently revealed potential unauthorized access [Does
that mean they may have accessed the data or that they may have been
authorized to access the data? Bob] to personal
information collected from a subset of merchant applicants," the
company said in a
statement on its Web site.

"It is unclear
whether the intruders looked at or took any personal information from
the company's systems [You have no log of activity on your system?
Bob]

"[May 10, 2012] - The Internet Crime
Complaint Center (IC3) released the 2011
Internet Crime Report — an overview of the latest data and
trends of online criminal activity. According to the report, 2011
marked the third year in a row that the IC3 received more than
300,000 complaints. The 314,246 complaints represent a 3.4 percent
increase over 2010. The reported dollar loss was $485.3 million. As
more Internet crimes are reported, IC3 can better assist law
enforcement in the apprehension and prosecution of those responsible
for perpetrating Internet crime."

Sounds fair to me, but also suggests an
ever-increasing “war” of video recordings... (Is someone
tracking who is using video to lie?)

"Posting videos to YouTube
allegedly showing police misconduct has become commonplace these
days. Now police
themselves are posting their own videos to refute misconduct claims.
'After a dozen Occupy Minnesota protesters were arrested at a
downtown demonstration, the group quickly took to the Internet,
posting video that activists said showed police treating them roughly
and never warning them to leave. But Minneapolis police knew
warnings had been given. And they had their own video to prove it.
So they posted the footage on YouTube, an example of how law
enforcement agencies nationwide are embracing online video to cast
doubt on false claims and offer their own perspective to the
public.'"

On June 4th I posted this
article: “UK: Google was allowed to destroy data haul
after ICO spent less than three hours examining information collected
by Street Cars.” Looks like several people found that
inadequate.

Google is back under investigation after gathering personal data
while cameras on its cars took pictures for its UK Street View
service.

The Information
Commissioner’s Office previously dropped a probe into the affair
after being told limited data had been “mistakenly collected”.

However, it said
it had since become aware of reports that a Google engineer had
deliberately written software to obtain a wider range of material.

The ICO has asked
for more information.

Specifically it
wants to know what type of data was captured; when Google managers
became aware of the issue; how the news was managed and why the full
range of gathered data was not represented in a sample the firm
presented to it in 2010.

Furthermore it has
requested a certificate to show that the data had since been
destroyed.

It’s hard not to view this as
anything more than “Data Protection Theater.” I don’t recall
ever seeing anyone use that phrase before, but it seems like a useful
generalization from “security theater” to describe things
governments do that are supposed to protect our data and privacy but
don’t.

In this case, the ICO had an
opportunity to really investigate the Street View mess but did only
minimal investigation. Now it’s embarrassed after the FCC report
was released and is making a show of looking into this more. Did the
ICO ever ask Google to sign an affidavit attesting that the sample
presented represented the full range of data types gathered?
According to the ICO’s
letter to Google, Google misled them. Now they’re asking to
see design documents and a whole lot more.

That said, I don’t expect anything
really useful to come out of this investigation other than to
accomplish some egg-removing from the ICO’s face.

(Related) “Oops! Looks like we
accidentally designed our software to work like Google Street
View...”

Sophie Curtis reports that Virgin Media
has clarified its Terms & Conditions to make clear that they
never intended to snoop on communications, even though
their T&C appeared to reserve that right unrestrictedly:

Virgin Media has
amended a clause in the terms and conditions for users of its London
Underground Wi-Fi service, which went live last week, in response to
complaints from privacy campaigners.

Originally, the
T&Cs stated that Virgin Media “may monitor email and internet
communications, including without limitation, any content or material
transmitted over the services”.

The suggestion
that Virgin Media could be snooping on customers’ communications
raised the ire of MPs and privacy campaigners alike, with
conservative MP Robert Halfon suggesting that “a surveillance
society is being created on the Underground”.

I may ask my IT Management students to
do a statistical study of “settlements.” I suspect there is a
dollar amount that indicates the settlement was to avoid the hassle
of extended legal wrangling that would wind up with no resolution and
another (much?) higher level that suggests “Okay, you got us.
Here's the basic settlement plus a reasonable amount to match a
future fine.”

The FTC alleged
that Spokeo operated as a consumer reporting agency and violated the
FCRA by failing to make sure that the information it sold would
be used only for legally permissible purposes; failing to ensure the
information was accurate; and failing to tell users of its consumer
reports about their obligation under the FCRA, including the
requirement to notify consumers if the user took an adverse action
against the consumer based on information contained in the consumer
report.

… According to
the FTC, Spokeo collects personal information about consumers from
hundreds of online and offline data sources, including social
networks. It merges the data to create detailed personal profiles of
consumers. The profiles contain such information as name, address,
age range, and email address. They also might include hobbies,
ethnicity, religion, participation on social networking sites, and
photos.

The FTC alleges
that from 2008 until 2010, Spokeo marketed the profiles on a
subscription basis to human resources professionals, job recruiters,
and others as an employment screening tool. [“It
takes us a few years to notice this stuff...” Bob]

Note that this may not be the end of
Spokeo’s problems, as the plaintiff in a lawsuit in the Ninth
Circuit has appealed
the court’s dismissal of his case.

"Rep. Darrell Issa (R-CA) has
published a first-draft
Internet Bill of Rights, and it's open for feedback. He wrote,
'While I do not have all the answers, the remarkable cooperation we
witnessed in defense of an open Internet showed me three things.
First, government is flying blind, interfering
and regulating without understanding even the basics. Second, we
have a rare opportunity to give government marching orders on how to
treat the Internet, those who use it and the innovation it supports.
And third, we must get to work immediately because our opponents are
not giving up.' Given the value of taking an active approach against
prospective laws such as SOPA, PIPA, and ACTA, I think it's very
important to try to spread awareness, participation, and encourage
elected officials to support such things."

Facebook is the normal
way to communicate with people. It may not yet be a fine
place to slap legal papers upon an adversary, however.

In an intriguing case involving a
mother, a daughter, and a bank, a federal judge decided that it's not
yet time for Facebook to become a fine substitute for chasing someone
down a street in order to serve them with papers.

… The problem with buying a new
Windows PC from a big manufacturer such as HP, Lenovo, Dell, or Acer
is the amount of pre-installed software bundled on the machines.
Most of it is useless, and none of it was requested by the buyer,
hence why we refer to it as crapware.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.